On 03:01 PM 5/24/2005, David D wrote:
>I am getting the following packet while looking for a NetBIOS issue where
>PCs are losing the ability to do name lookups.
>
>No.   Time       Source        Destination   Protocol  Info
>1335  23.703679  10.1.xxx.xxx  10.1.255.255  NBNS      Name query NB WWW.ZONEAGE.NET<00>
>0000 ff ff ff ff ff ff 00 40 ca 12 45 f3 08 00 45 00 .......@..E...E.
>0010 00 4e 66 79 00 00 80 11 b5 44 0a 01 0a e0 0a 01 .Nfy.....D......
>0020 ff ff 00 89 00 89 00 3a 83 02 a6 00 01 10 00 01 .......:........
>0030 00 00 00 00 00 00 20 46 48 46 48 46 48 43 4f 46 ...... FHFHFHCOF
>0040 4b 45 50 45 4f 45 46 45 42 45 48 45 46 43 4f 45 KEPEOEFEBEHEFCOE
>0050 4f 45 46 46 45 41 41 00 00 20 00 01 OEFFEAA.. ..
>
>The source IP address is x'd out because it's not coming from a single
>address but many in the subnet. The source addresses are machines (multiple
>machines) on my network, most are PCs but a few are even switches. I am on
>a single segment of a fairly large (600 machines) switched (but flat
>network - all same subnet) network.
>
>I assume I have a virus someplace but not sure where to begin to find it. A
>few of the machines have been scanned, registry checked, processes checked
>and there is nothing unusual about them...
>
>Any thoughts or ideas where to look next?
Why would you assume a virus? Because of the name lookup? Since you mentioned NetBIOS issues, I'm assuming you still have WINS servers? Have you looked at possible WINS database (I'm being kind by calling it a DB) issues?
BTW, are you saying that your switches are sending out name queries?
hsb
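
For readers following the thread, the query name in the quoted capture can be checked directly from the bytes. The Python below is an added example, not part of either message: it parses the NBNS payload copied from the hex dump (frame offset 0x2a onward) and reverses the first-level name encoding. The `dns_style_name` field is a triage heuristic assumed here, not something stated in the thread.

```python
import struct

# NBNS message (UDP payload, frame offset 0x2a onward) copied from the dump above.
NBNS_PAYLOAD = bytes.fromhex(
    "a60001100001"
    "00000000000020464846484648434f46"
    "4b4550454f4546454245484546434f45"
    "4f4546464541410000200001"
)

def decode_nb_name(encoded: bytes) -> tuple[str, int]:
    """Reverse RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Bytes 0..14 are the space-padded name, byte 15 is the suffix (service type).
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def parse_nbns_query(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of an NBNS message."""
    if len(payload) < 13:
        raise ValueError("truncated NBNS message")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    label_len = payload[12]
    end = 13 + label_len
    # Expect one 32-byte label, a zero root label (no scope ID), QTYPE, QCLASS.
    if label_len != 32 or len(payload) < end + 5 or payload[end] != 0:
        raise ValueError("unsupported or truncated question name")
    name, suffix = decode_nb_name(payload[13:end])
    qtype, qclass = struct.unpack("!HH", payload[end + 1:end + 5])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,          # 0 = query
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,                       # shown as <00> in the capture
        "qtype": qtype,                         # 0x0020 = NB
        "qclass": qclass,                       # 0x0001 = IN
        # Triage hint (assumption): a dot suggests a DNS-style hostname.
        "dns_style_name": "." in name,
    }

if __name__ == "__main__":
    print(parse_nbns_query(NBNS_PAYLOAD))
```

Run over a capture's NBNS payloads, the same parser lets you tally queried names per source address, which is a quick way to see whether many hosts are asking for the same name.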